Morgan, Thanks for the quick turnaround!
Ok so that java image openjdk:11-slim, is based on debian:buster-slim. I think that to be safe, it should be discussed on TSC call for awareness. I know that last go around there was some mild debate regarding ubuntu vs alpine. With it now switching to Debian, not sure what the community will feel regarding it. I’ve asked my team to take a look at it and see if we can test with that image. Pam From: "[email protected]" <[email protected]> Date: Tuesday, January 7, 2020 at 5:12 AM To: "DRAGOSH, PAMELA L (PAM)" <[email protected]>, "ZWARICO, AMY" <[email protected]> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, DESBUREAUX Sylvain TGI/OLN <[email protected]> Subject: [ONAP] [Integration] Java11 ONAP docker Hi Amy and Pam as discussed during the PTL meeting yesterday, I generated a dockerfile for java11. For the moment I do everything in gitlab.com as I do not have the repositories in ONAP. You can find the code here: https://gitlab.com/onap-integration/docker/onap-java<https://urldefense.proofpoint.com/v2/url?u=https-3A__gitlab.com_onap-2Dintegration_docker_onap-2Djava&d=DwMGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=jwTiArcEj6aUX0HjV0M3dT12gUtk7rC07xpgpVZkS_4&m=rX1G_1ieK1DZji2FZRhhZKInu-kRxDBEQGmX5V2Y5_A&s=6wM6G64lGt-vk46RW6M5pCGlvSMr2qOmI4MLUabkBn4&e=> One of the advantages is that we automatically leverage all the built-in features of gitlab.com (it will take time to do the same from LF repos) - registry: docker built automatically and available in registry.gitlab.com/onap-integration/docker/onap-java:latest - CI including several addons such as container_scanning (with klar '2.4.0' and clair 'v2.1.2') or licence verification https://gitlab.com/onap-integration/docker/onap-java/pipelines/107470068<https://urldefense.proofpoint.com/v2/url?u=https-3A__gitlab.com_onap-2Dintegration_docker_onap-2Djava_pipelines_107470068&d=DwMGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=jwTiArcEj6aUX0HjV0M3dT12gUtk7rC07xpgpVZkS_4&m=rX1G_1ieK1DZji2FZRhhZKInu-kRxDBEQGmX5V2Y5_A&s=Nr2oSGevTn6OFMIB74X71QubFCw3s_XbWtOoB_dIAu0&e=> - security scan results: https://gitlab.com/onap-integration/docker/onap-java/security/dashboard/?project_id=15652149&scope=dismissed&page=1&days=90<https://urldefense.proofpoint.com/v2/url?u=https-3A__gitlab.com_onap-2Dintegration_docker_onap-2Djava_security_dashboard_-3Fproject-5Fid-3D15652149-26scope-3Ddismissed-26page-3D1-26days-3D90&d=DwMGaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=jwTiArcEj6aUX0HjV0M3dT12gUtk7rC07xpgpVZkS_4&m=rX1G_1ieK1DZji2FZRhhZKInu-kRxDBEQGmX5V2Y5_A&s=cU1VYlT0m7xFxU6sDi77USf0_hBBVAT2lbL6EBQKSo4&e=> - 46 vulnearbilities found linked to Debian vulnerabilities which is used by openjdk to build their image (1 high (CVE-2019-18224 in libidn2) , 4 medium, 41 low). the docker itself is very basic I started from openjdk11 official slim images (1 layer, 215Mo (compressed)) I added a onap group and an onap user I created two env variables: - JAVA_SEC_OPTS="" - JAVA_OPTS="-Xms256m -Xmx1g" so it is possible through env variables to overwrite these values. I assume that the jar file is put in /opt/onap/app.jar and I set the entry point as java $JAVA_SEC_OPTS $JAVA_OPTS -jar /opt/$user/app.jar so if you create your docker from this docker, you in theory needs to copy your jar and it should be OK...to be tested Any comments/modifications/suggestions on the Dockerfile welcome The gitlab.com project is under Apache v2 licence and fully Open Source If you wand to be added as member of the gitlab.com project, do not hesitate. /Morgan _________________________________________________________________________________________________________________________ Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation. If you have received this email in error, please notify the sender and delete this message and its attachments. As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. Thank you. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#19725): https://lists.onap.org/g/onap-discuss/message/19725 Mute This Topic: https://lists.onap.org/mt/69499333/21656 Group Owner: [email protected] Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
